A massive EU privacy rule could bring an unexpected benefit for US consumers

New privacy regulations put in place by the European Union could benefit internet users in the U.S. (REUTERS/Francois Lenoir)

A massive European Union regulation going into effect next May could deliver an unexpected benefit on the other side of the Atlantic: letting you take your data from social networks that today don’t let you download what you uploaded — then move it to another network.

Data portability is good but often absent

Privacy rules traditionally stop a company from giving your data to others. But Article 20 of theGDPR’s roughly 54,000-word text says nothing about that. Instead, it requires that a company you’ve uploaded your data to give it back to you “in a structured, commonly used and machine-readable format” — that is, one that you could then move to a competing service. Other provisions require the original company to delete your old data on request.

In other words, data portability promotes privacy by removing an obstacle keeping you from taking your content and business elsewhere. It makes your contributions to a social network your property, not their hostage.

Enter the EU

The GDPR’s data-portability rules, however, apply to any company dealing with the data of EU residents, not just firms based in the EU. And violations of those rules can result in fines of €20 million or 4% of a company’s worldwide annual revenue, whichever is higher.

“This new portability requirement will start to level the competitive playing field amongst social media networks,” predicted Angela Saverice-Rohan, privacy leader for the Americas atErnst & Young, LLP. “It will presumably force enhanced services for consumers and privacy policies/data usage practices that reflect what users really want, lest they exercise their newfound ability to walk away with all of their data.”

Representatives for Facebook and Oath said the firms would comply with the GDPR but didn’t say if they’d bring new data-portability mechanisms to U.S. users.

Jules Polonetsky, CEO ofFuture of Privacy Forum, said U.S.-based firms lacking data-portability features will provide them in the States as well as the U.K. to avoid having different products on each side of the Atlantic.

“In the past most major consumer tech companies have rolled out features globally, despite differences in US and EU law,” he wrote in an email. “Early indications are that many will continue to do so.”

Other GDPR features

The GDPR imposes dozens of other requirements on companies, but only some are likely to shape user experiences in the States.

“Expect much more granular privacy notices and changes to the end-user experience” to make sure users know what they agree to,” EY’s Saverice-Rohan said, noting that these extra wrinkles “may be seen as a bit of a hassle.”

But expect the GDPR’s “right to erasure” — the ability to get a site to delete its data about you — to get the same lack of official support in the U.S. as the“right to be forgotten” doctrine requiring search engines to stop linking to information that EU residents find embarrassing or irrelevant.

Conversely, the Future of Privacy Forum’s Polonetsky noted that the GDPR may lead to Europeans missing out on some services if companies decide it will be too hard to get and confirm a consumer’s consent to use them.